Identity and Access Management
The organization follows best practices by implementing the majority of the following:
- Create individual accounts for anyone who requires access to the virtual infrastructure or APIs, or use Identity and Access Management (IAM) federation from the enterprise identity management system
- Use groups or roles to assign permissions to IAM users
- Enable multi-factor authentication for all IAM users
- Use roles for applications that run on EC2 instances
- Delegate by using roles instead of sharing credentials
- Rotate credentials regularly
- Store SSH keys securely to prevent disclosure, and promptly replace lost or compromised keys.
Access Control Policies for 18F
18F information systems enforce approved authorizations for logical access to information and system resources in accordance with the 18F Access Control Policy Section 3 Access Enforcement which states:
- 18F must enforce approved authorizations for logical access to its information systems in accordance with all applicable federal and 18F policies.
- 18F must provide access enforcement through the use of access control lists, access control matrices, and cryptography to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.
- 18F must employ access enforcement mechanisms at the application level, when necessary, to provide increased information security for the organization.
Application Security Groups
18F has created specific Cloud.Gov security groups associated with VPCs to provide full control over inbound and outbound traffic. 18F has created a specific set of VPCs (Live production and staging) for its Cloud.Gov implementation. All VPCs have subnets used to separate and control IP address space within each individual VPC. Subnets must be created in order to launch Availability Zone (AZ) specific services within a VPC. 18F has set up VPC Peering between the Staging VPC and the CF Live production VPC.
User Account and Authentication (UAA) Server
18F follows best practices by implementing the majority of the following:
- Use an RBAC model to restrict users’ access to only what is necessary to complete their tasks.
- Use strong passphrases for both the Cloud.gov user account and SSH keys.
- Configure UAA clients and users using a BOSH manifest. Limit and manage these clients and users as you would any other kind of privileged account.